From f09416887b12fc0c359a66fcd7c91622f37ac685 Mon Sep 17 00:00:00 2001 From: CharlesLR-sekoia Date: Thu, 12 Sep 2024 10:33:25 +0200 Subject: [PATCH 1/2] update mimecast defender stormshield docs --- docs/integration/categories/email/o365.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/integration/categories/email/o365.md b/docs/integration/categories/email/o365.md index aeae700f53..9a08e1252c 100644 --- a/docs/integration/categories/email/o365.md +++ b/docs/integration/categories/email/o365.md @@ -6,7 +6,6 @@ type: intake - **Vendor**: Microsoft - **Plan**: Defend Core & Defend Prime - **Supported environment**: Cloud -- **Version compatibility**: - **Detection based on**: Telemetry / Alert - **Supported application or feature**: From d84379cc35e5bae7643c2e2508781a1ff9243aea Mon Sep 17 00:00:00 2001 From: CharlesLR-sekoia Date: Thu, 12 Sep 2024 10:34:08 +0200 Subject: [PATCH 2/2] up --- .../email/mimecast_email_security.md | 32 +++++++++++++------ .../endpoint/microsoft_365_defender.md | 6 ++-- docs/integration/categories/iam/entra_id.md | 2 +- .../stormshield_network_security.md | 30 +++++++++-------- 4 files changed, 42 insertions(+), 28 deletions(-) diff --git a/docs/integration/categories/email/mimecast_email_security.md b/docs/integration/categories/email/mimecast_email_security.md index dfc0a18915..18b3c5ee87 100644 --- a/docs/integration/categories/email/mimecast_email_security.md +++ b/docs/integration/categories/email/mimecast_email_security.md 
@@ -30,7 +30,7 @@ A secure email gateway to block spam, viruses, and malware. - The Mimecast administrator must be assigned a Role with the following criteria. - Read and Edit API Application Permissions under the Service Menu. - Security Permissions setting must permit the Management of Application Roles. - - The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM)| Read permission. + - The generated API key must be a Mimecast Administrator with at least the Security Events and Data Retrieval | Threat and Security Events (SIEM) and Threat and security statistics | Read permission. ### Transport Protocol/Method 
@@ -52,21 +52,33 @@ A secure email gateway to block spam, viruses, and malware. #### Create API credentials 1. Login to **Mimecast Administration Console** -2. Navigate to **Services | API and Platform Integrations** -3. Locate the following **Mimecast API 2.0** tile and click on **Generate Keys.** -4. After reading the **Terms & Conditions**, complete the **I accept** check box to enable the **Next** button to progress onto the next step. -5. Complete the **Application Details** section. -6. Please provide details for a **Technical Point of Contact**. -7. Review the Summary information for the API application and click on **Add** if you are happy to proceed with creating the application. -8. The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data. +2. Navigate to **Account** > **Roles** > **New Role** +3. Name the role as you wish, for instance "Sekoia" +4. Add the following roles under the section called **Security Events and Data Retrieval**: + - **Threat and security svents (SIEM)** with READ permission, + - **Threat and security statistics** with READ permission. +5. Navigate to **Services | API and Platform Integrations** +6. Locate the following **Mimecast API 2.0** tile and click on **Generate Keys.** +7. After reading the **Terms & Conditions**, complete the **I accept** check box to enable the **Next** button to progress onto the next step. +8. Complete the **Application Details** section by providing: + - Application Name: Select **SIEM Integration**, + - Description (Optional), + - Integration Partner (Optional), + - Products: Select all products, + - Role: Select the "Sekoia" role created above. +9. Complete the **Notifications** section by providing: + - Technical Point of Contact: Write the name of the administrator to be contacted if you encounter any issue with the API, + - Email : Write the administrator's email. +10. Validate the form and Click on **Add and Generate Keys** +11. 
The wizard completes and displays a pop-up window including your `Client ID` and `Client Secret` key data. ### Instruction on Sekoia -### Create your intake +#### Create your intake 1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Mimecast Email Security`. 2. Copy the associated Intake key -### Pull your logs on Sekoia.io +#### Pull your logs on Sekoia.io Go to the Sekoia.io [playbook page](https://app.sekoia.io/operations/playbooks), and follow these steps: diff --git a/docs/integration/categories/endpoint/microsoft_365_defender.md b/docs/integration/categories/endpoint/microsoft_365_defender.md index d384bc12ae..46ecac648d 100644 --- a/docs/integration/categories/endpoint/microsoft_365_defender.md +++ b/docs/integration/categories/endpoint/microsoft_365_defender.md @@ -3,12 +3,12 @@ name: Microsoft 365 Defender type: intake ## Overview -- **Vendor**: +- **Vendor**: Microsoft - **Plan**: Defend Core & Defend Prime - **Supported environment**: - **Version compatibility**: - **Detection based on**: Alert, Telemetry -- **Supported application or feature**: +- **Supported application or feature**: see section below **This Intake was previously called Microsoft Defender for Endpoints.** @@ -17,8 +17,6 @@ Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suit This setup guide describes how to forward events produced by `Microsoft 365 Defender` to Sekoia.io XDR. - - ## Microsoft 365 Defender event types supported Here is a list of all the Microsoft 365 Defender event types supported by this integration: diff --git a/docs/integration/categories/iam/entra_id.md b/docs/integration/categories/iam/entra_id.md index 24084c5721..88c65a1fdd 100644 --- a/docs/integration/categories/iam/entra_id.md +++ b/docs/integration/categories/iam/entra_id.md 
@@ -3,7 +3,7 @@ name: Microsoft Entra ID (Azure AD) type: intake ## Overview -- **Vendor**: +- **Vendor**: Microsoft - **Plan**: Defend Core & Defend Prime - **Supported environment**: SaaS - **Detection based on**: Telemetry diff --git a/docs/integration/categories/network_security/stormshield_network_security.md b/docs/integration/categories/network_security/stormshield_network_security.md index a81db23ac1..4738527b79 100644 --- a/docs/integration/categories/network_security/stormshield_network_security.md +++ b/docs/integration/categories/network_security/stormshield_network_security.md 
@@ -11,25 +11,36 @@ In this documentation we will explain how to collect and send Stormshield Networ - **Vendor**: Stormshield - **Plan**: Defend Core & Defend Prime - **Supported environment**: On prem -- **Version compatibility**: +- **Version compatibility**: 4.8.2 and newer - **Detection based on**: Alert, Telemetry - **Supported application or feature**: Network device logs, Network protocol analysis, SSL/TLS inspection, Anti-virus +## Step-by-Step Configuration Procedure +### Instruction on Sekoia +#### Create your intake +Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes). +1. Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the `Stormshield Network Security`. +2. Copy the associated Intake key -## Configure +### Instructions on the 3rd Party Solution This section will guide you to forward Stormshield SNS logs to Sekoia. -### Create the intake +#### Import the intake certificate -Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format Stormshield Network Security. +On a device, please download the [Sekoia.io intake certificate](https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem) -### Import the intake certificate +1. Log on the UTM administration console +2. Click `Configuration` tab +3. On the left panel, Click `Objects` > `Certificats and PKI` +4. Click `+ Add` +5. Select the intake certificate +6. Click `Import` -On a device, please download the [Sekoia.io intake certificate](https://app.sekoia.io/assets/files/SEKOIA-IO-intake.pem) +#### Configure the log forwarding 1. Log on the UTM administration console 2. Click `Configuration` tab 
@@ -44,16 +55,9 @@ On a device, please download the [Sekoia.io intake certificate](https://app.seko 11. In the advanced configuration section, paste the intake key 12. Click `APPLY` -### Configure the log forwarding - -You have to go on your Sekoia.io instance to generate an "intake key". -Everything you need to do for this part of the configuration is described [here](/xdr/features/collect/intakes). - -Finally, to push logs, you have to [configure](/integration/ingestion_methods/index) some filters and rewrite rules in Syslog that will add the proper “intake key” considering your logs. {!_shared_content/operations_center/integrations/generated/79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_sample.md!} - {!_shared_content/integration/detection_section.md!} {!_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md!}
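Review bot: In docs/integration/categories/email/mimecast_email_security.md, hunk @@ -30,7 +30,7 @@, the new prerequisite line runs two distinct permissions together inside one menu path ("Security Events and Data Retrieval | Threat and Security Events (SIEM) and Threat and security statistics | Read permission"), which reads as a single menu item. Split it into two items under "Security Events and Data Retrieval", each "with Read permission", so it matches the numbered procedure later in the same file and makes clear that both grants are read-only.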
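Review bot: In docs/integration/categories/email/mimecast_email_security.md, hunk @@ -52,21 +52,33 @@, step 4 has a typo: "Threat and security svents (SIEM)" should be "Threat and security events (SIEM)", consistent with the prerequisites section of the same file. Two smaller points in the same hunk: step 9 has a stray space in "Email :", and step 10 capitalises "Click" mid-sentence ("Validate the form and Click on"). Also check that step 11's text ("The wizard completes and displays a pop-up window ...") sits on the same line as its "11." marker, otherwise the list breaks when rendered.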
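Review bot: In docs/integration/categories/endpoint/microsoft_365_defender.md, hunk @@ -3,12 +3,12 @@, "Supported environment" and "Version compatibility" are still left empty while the first patch of this series removed the empty "Version compatibility" line from o365.md; apply the same rule here (fill the values or drop the empty lines) so the overview blocks stay consistent across intakes. For "Supported application or feature: see section below", consider linking directly to the "Microsoft 365 Defender event types supported" heading rather than a bare "see section below".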
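Review bot: In docs/integration/categories/network_security/stormshield_network_security.md, hunk @@ -11,25 +11,36 @@, step 3 of "Import the intake certificate" reads "Objects > Certificats and PKI"; unless that is the exact label in the SNS console it should be "Certificates and PKI". The two new subheadings are inconsistent in number ("### Instruction on Sekoia" vs "### Instructions on the 3rd Party Solution"); pick one form. The added "## Step-by-Step Configuration Procedure" heading follows the last overview bullet with no blank line, which some Markdown renderers treat as list continuation; add the blank line. In step 5, "Select the intake certificate" would be clearer as "Select the SEKOIA-IO-intake.pem file downloaded above".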
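Review bot: In docs/integration/categories/network_security/stormshield_network_security.md, hunk @@ -44,16 +55,9 @@, removing the old "Configure the log forwarding" paragraph also drops the only link to /integration/ingestion_methods/index and the note about Syslog filters and rewrite rules; since step 11 of the new procedure ("In the advanced configuration section, paste the intake key") now covers how the intake key is attached, that is fine, but confirm nothing else in the file still references the removed section, and consider keeping the ingestion-methods link in the new "Configure the log forwarding" subsection for readers who forward through an intermediate Syslog relay.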